SYSTEM_PROCESS_INFORMATION has wrong declaration ! - It's right !? (Answered)

  • Sunday, 8 November 2009 09:55, Eugene ltd.
     
    Hello.
    I want to write a program that shows all processes in the system (hidden processes too), and I know that I need to use the function ZwQuerySystemInformation.
    So I use it, but I can't get the needed information from the array of SYSTEM_PROCESS_INFORMATION structures. I have found a lot of information about this structure on the Internet, but all of it is too different. MSDN describes it, but that information may be wrong, because I can't get some of the right data.
    In some of the topics on the Internet it has been written that the information from MSDN isn't complete and the right information can be found in the DDK documentation, but I haven't found that information there at all ...
    Please tell me where I can find the right information about this structure.
    TIA.
    ---
    Regards, Eugene.

Answers

  • Tuesday, 10 November 2009 09:04, Nancy Shao (MSFT, Moderator)
     Answered
    Hi Eugene,

    Based on my understanding, the SYSTEM_PROCESS_INFORMATION structure defined in MSDN is correct, as the following shows:

    typedef struct _SYSTEM_PROCESS_INFORMATION {
        ULONG NextEntryOffset;
        ULONG NumberOfThreads;
        BYTE Reserved1[48];
        PVOID Reserved2[3];
        HANDLE UniqueProcessId;
        PVOID Reserved3;
        ULONG HandleCount;
        BYTE Reserved4[4];
        PVOID Reserved5[11];
        SIZE_T PeakPagefileUsage;
        SIZE_T PrivatePageCount;
        LARGE_INTEGER Reserved6[6];
    } SYSTEM_PROCESS_INFORMATION;
    
    As this structure shows, it does not include ImageName, KernelTime, UserTime. If you want to use these variables, you can use other structures, such as SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION.

    Best Regards,
    Nancy

    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    Welcome to the All-In-One Code Framework! If you have any feedback, please tell us.

All replies

  • Sunday, 8 November 2009 17:30, Brian Muth (MVP)
     
    Vague question. You are looking for the "right information". Hard to advise unless you tell us what it is.
  • Sunday, 8 November 2009 19:19, Eugene ltd.

    Oh ... Sorry ... if I expressed myself vaguely ...

    I have found too much information about the declaration of the SYSTEM_PROCESS_INFORMATION structure ...

    Below are some of them ..

    typedef struct _SYSTEM_PROCESS_INFORMATION 
    {
     ULONG NextEntryOffset;
     ULONG NumberOfThreads;
     LARGE_INTEGER Reserved[3];
     LARGE_INTEGER CreateTime;
     LARGE_INTEGER UserTime;
     LARGE_INTEGER KernelTime;
     UNICODE_STRING ImageName;
     KPRIORITY BasePriority;
     HANDLE ProcessId;
     HANDLE InheritedFromProcessId;
     ULONG HandleCount;
     ULONG Reserved2[2];
     ULONG PrivatePageCount;
     VM_COUNTERS VirtualMemoryCounters;
     IO_COUNTERS IoCounters;
     SYSTEM_THREAD Threads[0];
    } SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;
    
    typedef struct _SYSTEM_PROCESS_INFORMATION 
    {
        ULONG NextEntryOffset;
        BYTE Reserved1[52];
        PVOID Reserved2[3];
        HANDLE UniqueProcessId;
        PVOID Reserved3;
        ULONG HandleCount;
        BYTE Reserved4[4];
        PVOID Reserved5[11];
        SIZE_T PeakPagefileUsage;
        SIZE_T PrivatePageCount;
        LARGE_INTEGER Reserved6[6];
    } SYSTEM_PROCESS_INFORMATION; 
    
    typedef struct _SYSTEM_PROCESS_INFORMATION 
    {
        ULONG NextEntryOffset;
        ULONG NumberOfThreads;
        LARGE_INTEGER SpareLi1;
        LARGE_INTEGER SpareLi2;
        LARGE_INTEGER SpareLi3;
        LARGE_INTEGER CreateTime;
        LARGE_INTEGER UserTime;
        LARGE_INTEGER KernelTime;
        UNICODE_STRING ImageName;
        KPRIORITY BasePriority;
        HANDLE UniqueProcessId;
        HANDLE InheritedFromUniqueProcessId;
        ULONG HandleCount;
        ULONG SpareUl2;
        ULONG SpareUl3;
        ULONG PeakVirtualSize;
        ULONG VirtualSize;
        ULONG PageFaultCount;
        ULONG PeakWorkingSetSize;
        ULONG WorkingSetSize;
        ULONG QuotaPeakPagedPoolUsage;
        ULONG QuotaPagedPoolUsage;
        ULONG QuotaPeakNonPagedPoolUsage;
        ULONG QuotaNonPagedPoolUsage;
        ULONG PagefileUsage;
        ULONG PeakPagefileUsage;
        ULONG PrivatePageCount;
    } SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;
    

    That is why I asked: which structure has the correct declaration?
    When I use the declaration from MSDN, my program works without ERRORS, but I can't, or don't know how to, get some fields from the structure, for example: ImageName, KernelTime, UserTime, etc.
    If I use any declaration other than MSDN's, my program raises exceptions, and I don't know what is where here, for example: ImageName, KernelTime, UserTime, etc.
    The program code is below:

            bool res = false;
            SYSTEM_PROCESS_INFORMATION *Prev = NULL;
            // fixed 80000-byte buffer; a longer process list needs a retry with a larger buffer
            LPVOID SPI = VirtualAlloc( NULL, 80000, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE );
            memset( SPI, 0, 80000 );          // runs before the NULL check below
            if ( SPI == NULL ) return false;
            DWORD ResLength = 0x00;
            NTSTATUS status = NtQuerySystemInformation(
                SystemProcessInformation,
                SPI,
                80000,
                &ResLength );
            if ( status != 0xC0000004 )       // STATUS_INFO_LENGTH_MISMATCH
            {
                while ( ( ( SYSTEM_PROCESS_INFORMATION* )SPI )->NextEntryOffset > 0 )
                {
                    Prev = ( SYSTEM_PROCESS_INFORMATION* )SPI;
                    // EXCEPTION
                    // NextEntryOffset is a byte count; adding it to a struct pointer
                    // scales it by sizeof(SYSTEM_PROCESS_INFORMATION) and leaves the buffer
                    ( ( SYSTEM_PROCESS_INFORMATION* )SPI ) += ( ( SYSTEM_PROCESS_INFORMATION* )Prev )->NextEntryOffset;
                    /*
                        // will be something, but now here is empty ...
                    */
                }
            }
            VirtualFree( SPI, 0, MEM_RELEASE );
            return res;
    
    

    So, I would like to know ... how to get correct information from the structure, and which structures are correct for working with the function ZwQuerySystemInformation?
    TIA.
    ---
    Regards, Eugene.
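    A worked version of the NextEntryOffset walk that the loop above attempts, added here as an example and not part of the thread: it models the leading fields of SYSTEM_PROCESS_INFORMATION in a hypothetical portable struct (demo_process_entry, a constructed stand-in for the SDK type) and walks a constructed buffer of three variable-size entries, so it compiles and runs on any platform. The names walk_process_list and demo_walk, the sample process ids and the 16-byte thread records are assumptions of the example.

```c
#include <stdint.h>
#include <string.h>
/* Stand-in for the leading fields of SYSTEM_PROCESS_INFORMATION (hypothetical
 * portable layout so the walk runs anywhere; real code uses the SDK struct). */
typedef struct {
    uint32_t NextEntryOffset;   /* byte distance to the next entry, 0 marks the last */
    uint32_t NumberOfThreads;
    uint64_t UniqueProcessId;   /* stands in for HANDLE */
} demo_process_entry;

/* Walks the list the way the kernel lays it out: advance by NextEntryOffset BYTES
 * through a char pointer. Adding the offset to a struct pointer would scale it by
 * sizeof(struct) and leave the buffer. Returns the entry count; pids gets up to max ids. */
size_t walk_process_list(const void *buf, size_t buf_len, uint64_t *pids, size_t max)
{
    const char *cur = (const char *)buf, *end = cur + buf_len;
    size_t n = 0;
    for (;;) {
        demo_process_entry e;
        if ((size_t)(end - cur) < sizeof e) return n;          /* truncated: stop */
        memcpy(&e, cur, sizeof e);                              /* no unaligned reads */
        if (n < max) pids[n] = e.UniqueProcessId;
        n++;
        if (e.NextEntryOffset == 0) return n;                   /* last entry handled */
        if (e.NextEntryOffset > (size_t)(end - cur)) return n; /* corrupt offset */
        cur += e.NextEntryOffset;
    }
}

/* Builds a constructed three-process buffer (entries of differing size: header
 * plus 16 bytes per thread), cuts it to `limit` bytes to simulate a short read,
 * and walks it. Returns the entry count, or -1 if a recovered id is wrong. */
int demo_walk(size_t limit)
{
    static const uint64_t want[3] = {4, 512, 2048};   /* constructed sample pids */
    const uint32_t threads[3] = {1, 3, 2};
    unsigned char buf[256];
    uint64_t pids[8] = {0};
    size_t off = 0, n, i;
    for (i = 0; i < 3; i++) {
        size_t entry_len = sizeof(demo_process_entry) + threads[i] * 16;
        demo_process_entry e = { i == 2 ? 0 : (uint32_t)entry_len, threads[i], want[i] };
        memset(buf + off, 0, entry_len);
        memcpy(buf + off, &e, sizeof e);
        off += entry_len;
    }
    n = walk_process_list(buf, limit < off ? limit : off, pids, 8);
    for (i = 0; i < n && i < 3; i++) if (pids[i] != want[i]) return -1;
    return (int)n;
}
```

    Against the real API, request a larger buffer and retry when NtQuerySystemInformation returns STATUS_INFO_LENGTH_MISMATCH (0xC0000004, the value the posted code tests) instead of treating it as a final result. The fields the question asks for (ImageName, UserTime, KernelTime) appear in the third declaration quoted above, and the MSDN declaration covers the same bytes with Reserved1 and Reserved2, so the walk itself is identical with either declaration.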
